Release notes CipherMail Email Encryption Gateway

2.9.0-0 (2014-09-24)

New

Global Skip calendar messages property added which will skip encryption and signing if the message is a meeting
request (Outlook cannot handle encrypted or signed meeting requests).

PGP sign only is now supported. "Only sign when encrypt" now also works for PGP messages. S/MIME signing is tried
before PGP signing, i.e., if a sender has a valid S/MIME signing key, the message will be S/MIME signed. If the
sender does not have a valid S/MIME signing key but has a valid PGP signing key, the message will be PGP signed.
Signing of PDF encrypted email now also supports PGP signing if a valid PGP signing key is available.

Allow administrator to disable auto decryption. The PGP handler can now be configured to not decrypt incoming email.
Disabling PGP decryption requires a change to config.xml (GATEWAY-81)

Improvements/Changes

PGP Universal Gateway uses a non-standard encoding for PGP/MIME. The x-pgp-encoding-format header is now
used to detect the PGP/MIME encoding of messages generated by PGP Universal (GATEWAY-83)

BlackBerry add-in handling is no longer enabled by default. The add-in is only for BB OS 7 and lower using BIS.
BB 10 does not use BIS, so for BB 10 the add-in is not required.

PGP signatures are now created as a text signature and not as a binary signature. This is a workaround for a bug
in Enigmail 1.7 (Enigmail bug 329)

PGP/MIME encrypted messages now use inline as default disposition. This is similar to how Enigmail sets the
disposition and allows Mailvelope to open PGP/MIME encrypted email.

BouncyCastle jar updated to 1.51

Spring jars updated to 3.2.9

Web GUI: Spring security jars updated to 3.2.5

Web GUI: Incorrect logins are now cached for 5 min (was 1 min).

Web GUI: Mobile settings link disabled by default since the BB add-in is no longer enabled by default.

Web GUI: Minor changes to settings page. Some settings were moved to additional settings and vice versa. Some settings
were grouped differently.

Bug fix

Startup fails if the Linux free command is localized (for example in German). A fallback to /proc/meminfo has been
added for the case where free does not return the required information (GATEWAY-80)

PGP/MIME signatures were invalid if a multipart message contained extra newlines at the end of the message. The Zimbra
mail client adds additional empty lines at the end of a multipart message. The additional empty lines are now removed
before signing.

Virtual Appliance: The NTP settings cannot be changed. Ubuntu 14.04 uses a different name for ntp server settings
(GATEWAY-79)

2.8.6-3 (2014-07-27)

Bug fix

Fix for GATEWAY-78. The gateway could no longer start due to an
incompatible change in a recent update of OpenJDK.

2.8.6-2 (2014-06-19)

New

OpenPGP support.

RPM for SUSE added (initial release, only tested on last release of OpenSUSE).

A PDF reply now sets the In-Reply-To header. Conversation threading is now supported, i.e., the email client can now
group the original message and the reply.

A comment field has been added to the user, domain and global properties.

Improvements/Changes

The gateway product has been renamed to CipherMail (the company that owns CipherMail is still called DJIGZO).

SOAP port changed from 9000 to 9009 to prevent a port conflict with nCipher netHSM.

Default Max. message size for S/MIME and PDF is now set to 50MB

PDF encrypted email uses the same Message-Id as the original message.

MPA logging was improved. More information is provided as to why messages are handled in a certain way.

Lots of internal changes to allow new functionality to be dynamically added as plugins.

Bug fix

Recent versions of OpenJDK register additional DataHandlers which can conflict with the way the back-end handles
certain attachments. The additional DataHandlers are now ignored.

The fallback charset providers were accidentally disabled. They are now enabled again.

2.5.0-4 (2013-05-07)

Improvements/Changes

A page has been added on which a MIME encoded email can be uploaded for text extraction. This allows the admin to
see which text the DLP scanner uses for pattern matching.

PDF option Send CC to replier added. If set, a CC of the PDF reply will be sent to the replying user.

S/MIME option Skip import of untrusted certificates added. By default all certificates from a signed email will be
imported even if untrusted. By enabling Skip import of untrusted certificates, only trusted certificates
are imported.

Signing subject trigger option added. This can be used to force signing of email if the subject contains a user
defined keyword (keyword can be removed if configured).

A password strength check/estimate has been added to the portal password selection/change pages. The minimum required
password strength can be set by the administrator. By default you are not allowed to use your email address as your
password, base your password on your username, or use a qwerty sequence of more than 5 characters.

System page added on which the server can be restarted/rebooted and Postfix stopped/started.

Three custom properties and templates added. These properties and templates can be used if the mail flow (config.xml)
is modified by the admin and the changes require some user configurable options.

A page has been added with which an email can be sent. This is helpful for testing purposes.

French language support added to portal

The Web GUI is automatically logged off after 5 min. of inactivity.

The HTML text extractor for the DLP scanner now by default skips HTML comments. This makes it less likely to have
false positives for certain patterns (for example SSN pattern)

The HTML text extractor for the DLP scanner now by default only scans the HTML body. This makes it less likely to have
false positives for certain patterns (for example SSN pattern)

The HTML text extractor now also scans application/xhtml+xml attachments.

"Dynamic" memory allocation is now enabled by default for the DEB and RPM packages. The DJIGZO back-end now by default
uses a heap size of 0.6 * available memory.

The back-end SMTP server no longer adds a received header. This makes it easier to remove internal IP addresses from
the received headers using Postfix header checks.

Backups are now gzipped.

Changing the Web GUI IP filter no longer requires a restart of the web server. The IP filter settings are read from
/etc/djigzo/ip-filter.properties.

Max inline body of PDF is now by default 256K. If the text is larger than the maximum, the text will be added as a text
attachment.

Back-end logs now rotate at 10MB (was 5MB)

The SMS option "Phone number allowed" is no longer enabled by default. Note: This is a non-backward compatible change
since the default value changed. To revert back to the old behavior, enable the global "Phone number allowed" option.

sudo usage has been simplified. Scripts will now be executed from scripts.d.

Some jars updated to newer releases

Support for right to left (RTL) text added to the PDF encryption module.

Support for multiple SMS transports added.

The DLP scanner now also extracts the meta content of MIME parts. This can for example be used to block or quarantine
certain attachment types. The attachment type is detected from the content of the attachment and not from the
filename.

Comodo classes have been removed for now since the Comodo EPKI no longer allows certificates to be automatically
requested (the Comodo module will probably be added in later versions)

Changing the automatic backup cron expression no longer requires a restart. The backup job will be rescheduled.

The signature algorithm identifier of a signed email changed between RFC 3851 and RFC 5751. RFC 5751 uses for example
sha-1 whereas RFC 3851 uses sha1. The gateway by default follows RFC 5751. Some anti-spam gateways however cannot
handle the new RFC 5751 syntax. The SMIMESign mailet can be configured to revert back to RFC 3851.

URL detection for the PDF module has been improved.

The reply link in the PDF is now a clickable image.

OpenJDK 7 is now supported.

Web GUI look and feel updated. Some functionality has been moved to different pages (for example the SMS queue is now
part of the Queues page). Most menu items can be dynamically extended to support add-ins.

JCE policy manager page removed since this is no longer required with OpenJDK.

Most pages now close after applying the settings instead of showing "settings applied".

Bug fix

2.1.1 (2011-08-16)

New

Advanced S/MIME setting "Always use freshest signing certificate" added. If checked, every time the
sender needs to sign a message, the most recent (i.e., the latest "not before" date) signing certificate will be used
(GATEWAY-14).

Advanced PDF setting "Only encrypt if mandatory" added (GATEWAY-22).
If checked, PDF encryption will only be activated if encryption is mandatory.

DLP setting "Quarantine on failed encryption" added. If checked and encryption is mandatory and a message cannot be encrypted,
the message will be quarantined and not "bounced". Note: this required minor changes to the "DLP quarantine" template.

Quarantined emails can now be "released as-is". When a quarantined email is released as-is, no further processing of the email
is done and the email is immediately delivered.

The admin can now specify how many rows the grid should show per page (users, certificates, MTA queue)
(GATEWAY-23)

The admin can now filter for specific email in the MTA queue.

The MTA logs are now by default shown in "raw" format (i.e., in exact same order as the log file). To view the MTA
logs grouped on queue ID (the old behavior), the admin should select "Grouped".

If a certificate chain is valid, the issuer of the certificate in the certificate view can be clicked
to open the issuer certificate view.

Improvements

The BlackBerry and mobile settings are moved to a specialized mobile settings page. New role ROLE_MOBILE_MANAGER added.

Some settings are moved to advanced settings.

New charsets can be added to the PDF encryption module (should be enabled from the command line) to support
charsets not supported "out of the box" by Acrobat reader. For example certain Turkish characters are not supported
"out of the box" by Acrobat reader (GATEWAY-20)

If a certificate was available for a recipient, a user object was always created for that recipient. This resulted
in a lot of users when domain to domain encryption was used.
The user is no longer added by default. A new S/MIME advanced setting "Add user" is added which can be used to
specify whether a user should be added when a certificate is available for a recipient.

Djigzo has the capability of adding certain headers to the signed and or encrypted inner MIME part. This can be
used to protect certain headers (for example the subject). However there are some S/MIME gateways that cannot handle
S/MIME messages with headers within inner MIME parts (for example Antigen). Because interoperability is important,
the subject header protection has been disabled by default (GATEWAY-31).

Bug fix

With S/MIME "strict mode" enabled, S/MIME messages were only handled by the S/MIME handler if the recipient
had a valid certificate with private key. If a digitally signed message was received for a recipient
not having a private key, the certificates were not extracted from the message and the signature was not removed when
"Remove signature" was enabled for that recipient. The message is now always handled by the S/MIME handler.
(GATEWAY-27)

Under certain special conditions, the base64 encoder of Javamail sometimes created lines with more than 76 characters
(only a few characters extra). OpenSSL (which is used by some S/MIME gateways) cannot handle base64 encoded parts
containing lines longer than 76 characters. Javamail has been updated
(GATEWAY-29)
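The 76-character limit from the entry above, as an added example (not Javamail's encoder or the gateway's code): a check that reports base64 lines longer than RFC 2045 allows, and a re-wrapper that decodes and re-encodes so the underlying bytes are provably unchanged. The sample is constructed here with 80-character lines to stand in for the over-long lines described (the real defect produced only a few extra characters per line).

```python
import base64
from typing import List

MAX_LINE = 76  # RFC 2045 limit for a base64 encoded line


def long_base64_lines(encoded: str) -> List[int]:
    """1-based numbers of the lines that exceed MAX_LINE characters."""
    return [n for n, line in enumerate(encoded.splitlines(), 1) if len(line) > MAX_LINE]


def decoded_bytes(encoded: str) -> bytes:
    """Decode ignoring line structure; validate=True rejects any stray character."""
    return base64.b64decode("".join(encoded.split()), validate=True)


def rewrap_base64(encoded: str) -> str:
    """Re-encode a base64 body with MAX_LINE-character CRLF-terminated lines.
    Decoding first guarantees the bytes a recipient decodes are unchanged and
    makes a corrupted body raise instead of being silently re-wrapped."""
    enc = base64.b64encode(decoded_bytes(encoded)).decode("ascii")
    return "".join(enc[i:i + MAX_LINE] + "\r\n" for i in range(0, len(enc), MAX_LINE))


# Constructed sample: 512 bytes encoded with 80-character lines, standing in for
# the over-long lines the page describes.
SAMPLE_RAW = bytes(range(256)) * 2
_flat = base64.b64encode(SAMPLE_RAW).decode("ascii")
SAMPLE_BAD = "".join(_flat[i:i + 80] + "\r\n" for i in range(0, len(_flat), 80))

if __name__ == "__main__":
    print("over-long lines:", long_base64_lines(SAMPLE_BAD))
    fixed = rewrap_base64(SAMPLE_BAD)
    print("after rewrap:", long_base64_lines(fixed), "bytes intact:", decoded_bytes(fixed) == SAMPLE_RAW)
```

Apply such a rewrap at encoding time, before the part is signed: for S/MIME the signature is computed over the transfer-encoded inner entity, so re-wrapping an already-signed part would change the bytes the signature covers.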

When deleting a large number of emails from the MTA queue, the MTA queue could no longer be read until the garbage
collector had run (GATEWAY-32)

2.0.1 (2011-03-18)

Bug fix

Fix for GATEWAY-15. If a message was placed in quarantine because of a DLP violation and the Message-Id or From
header contained a '%' character, deleting the mail from quarantine resulted in an error.
This bug was reported by Andreas Beier.

Improvement

Workaround for non-RFC-compliant SKI (Subject Key Identifier) support in Outlook 2010.
For information on why this workaround is needed see:
Link 1 and
Link 2.

Javamail updated to 1.4.4 final.

1.4.1-0 (2010-11-12)

New

The Virtual Appliance now allows you to specify which IP addresses can access the Web Admin login page.

Bug fix

Fix for "The PDF reply portal no longer attaches the uploaded attachment" (GATEWAY-12).
This was a regression of a previous bug fix GATEWAY-4.

Fix for "The telephone number in the subject should be detected before removing the encryption trigger"
(GATEWAY-11).

1.4.0-5 (2010-08-23)

New

Different certificate request handlers can now be added using a pluggable infrastructure.

Certificate request handler for Comodo has been added. With the Comodo certificate request handler, certificates
from Comodo's managed PKI services (EPKI) can be automatically requested from the gateway.

Certificates can now be requested in bulk. A comma separated text file containing the request details can be
imported. The certificates will be requested using the selected certificate request handler.

Email encryption header trigger has been added. Encryption of email can be triggered using a pre-defined email
header (matched against a regular expression).

A certificate can now be automatically requested for a sender using the default selected certificate request
handler (only if the sender does not yet have a valid certificate with private key).

Improvement

When a large number of certificates were imported (60000 certificates) the certificates view (UI) was no longer
'snappy' enough. The certificate view has been optimized (only noticeable with large number of certificates).

Some UI menu items are moved to left-hand submenu.

SMS settings menu item has been moved to the SMS page.

The message template to edit should now be selected from a drop-down list.

The restart and PDF import attachment wait animation has been replaced with an animated gif.

Upgraded to new version of CXF. The soap port is now by default only accessible from localhost.

Added note to Virtual Appliance documentation about reserving memory to prevent swapping (thanks goes to
Andreas Beier for his help in finding the cause of spurious crashes when running under ESX when the total
memory used by all VMs was larger than the total host memory).

Bug fix

Signature check sometimes failed for clear-signed messages.

1.2.3-1 (2009-09-01)

New

Monitor command line tool added which can be used to monitor the MPA queue.

Authentication and authorisation is now possible using an external LDAP.

Improvement

Encoded smime.p7m filenames are now recognized.

Bug fix

Some "Received" headers were sorted in incorrect order (reported by Steven Geerts).

The MX setting on the MTA page was reversed (reported by Steven Geerts); see the upgrade notes.

The telephone number on the subject was not picked up when the subject only contained the telephone number.

If the virtual appliance was given more than 2048 MB Djigzo did not start (reported by Stefan Schwarz).

1.2.3 (2009-07-01)

Bug fix

The CRL distribution point did not contain an issuer. When the Outlook option SigStatusNoCRL was enabled, Outlook
reported that the CRL was not available. The CRL distribution point is now moved to the end-user certificate.
Reported by Mark van Voorden.

If a CA certificate was not yet setup and apply was selected on the CA select page an error occurred.

1.2.2 (2009-06-02)

New

Built-in CA added. The CA can issue certificates for internal and external users.

Telephone numbers specified in the subject can be used as the SMS text message number.

VMware Tools can be rebuilt from the menu.

Improvement

BB add-on: attachments not supported by the BlackBerry are stripped. HTML-only mail is converted to text.

BB add-on: large attachments are now supported.

Root certificate is added when exporting certificates and when signing messages.